jeltz/hostap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Fix memory allocation failure handling in EAP-TTLS/MSCHAPv2 server

Browse source 
If the os_malloc() call for the User-Name value fails in EAP-TTLS
server, the inner MSCHAPv2 processing could have tried to dereference a
NULL pointer. Avoid this by handling this cleanly as an internal error
and reject the authentication attempt.

Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
This commit is contained in:
Jouni Malinen 2012-08-19 17:23:00 +03:00
parent 44ec48ebfd
commit a2f94dbe62
1 changed files with 12 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
src/eap_server/eap_server_ttls.c
View file

@ -674,6 +674,13 @@ static void eap_ttls_process_phase2_mschapv2(struct eap_sm *sm,
return;
}
if (sm->identity == NULL) {
wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: No user identity "
"known");
eap_ttls_state(data, FAILURE);
return;
}
/* MSCHAPv2 does not include optional domain name in the
* challenge-response calculation, so remove domain prefix
* (if present). */
@ -979,11 +986,12 @@ static void eap_ttls_process_phase2(struct eap_sm *sm,
if (parse.user_name) {
os_free(sm->identity);
sm->identity = os_malloc(parse.user_name_len);
if (sm->identity) {
os_memcpy(sm->identity, parse.user_name,
parse.user_name_len);
sm->identity_len = parse.user_name_len;
if (sm->identity == NULL) {
eap_ttls_state(data, FAILURE);
goto done;
}
os_memcpy(sm->identity, parse.user_name, parse.user_name_len);
sm->identity_len = parse.user_name_len;
if (eap_user_get(sm, parse.user_name, parse.user_name_len, 1)
!= 0) {
wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 Identity not "